error in secret or public key callback: The JWKS endpoint did not contain any signing keys #373

Closed
4 tasks done
hiteshjoshi opened this issue Sep 22, 2023 · 3 comments

hiteshjoshi commented Sep 22, 2023

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

I am getting "The JWKS endpoint did not contain any signing keys". The keys are at https://api-dev.ploton.app/api/jwt/jwks.json

My code:

import { Request, Response, NextFunction } from "express";
import JsonWebToken, { JwtHeader, JwtPayload, SigningKeyCallback } from "jsonwebtoken";
import jwksClient from "jwks-rsa";

// Express's Request type has no `user` field; declare it so `req.user = ...` type-checks.
declare global {
  namespace Express {
    interface Request {
      user?: string;
    }
  }
}

export const verifySession = () => {
  const client = jwksClient({
    jwksUri: process.env.JWKS_URI as string
  });

  // Resolve the verification key from the JWKS by the `kid` in the token header.
  function getKey(header: JwtHeader, callback: SigningKeyCallback) {
    client.getSigningKey(header.kid, function (err, key) {
      const signingKey = key?.getPublicKey();
      console.log(process.env.JWKS_URI);
      callback(err, signingKey);
    });
  }

  return async (req: Request, res: Response, next: NextFunction) => {
    if (!req.headers.authorization) {
      return res
        .status(401)
        .send({ success: false, message: "Authorization header is required" });
    }

    // Expect exactly "Bearer <token>"; anything else is rejected before verification.
    const [scheme, token] = req.headers.authorization.split(" ");
    if (scheme !== "Bearer" || !token) {
      return res
        .status(401)
        .send({ success: false, message: "Invalid token" });
    }

    // Pin the accepted algorithm so the token's `alg` header cannot choose it.
    JsonWebToken.verify(token, getKey, { algorithms: ["RS256"] }, function (err, decoded) {
      if (err) {
        console.log(err);
        return res
          .status(401)
          .send({ success: false, message: "Invalid token" });
      }
      // `decoded` is `string | JwtPayload | undefined`; only an object payload carries `sub`.
      const userID: string | undefined =
        typeof decoded === "object" && decoded !== null ? (decoded as JwtPayload).sub : undefined;
      if (!userID) {
        return res
          .status(401)
          .send({ success: false, message: "Invalid token" });
      }
      req.user = userID; // expose the subject of the verified token to downstream handlers
      next();
    });
  };
};

Reproduction

I am making the curl request as:

curl -X POST -H "Authorization: Bearer eyJraWQiOiJkLTE2OTQ3NTMxMDc3NjQiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiNCIsImFsZyI6IlJTMjU2In0.….DkE0UU3_TBz6JTEmH08PWYyXv8Qb99Ktp3tmXWzAH0Qtgn9jMILoR3R29ncYLagLFFJw7nF4sICxbiTokj6PQL577sHwJAj0ZlObb58NcQnYyH7_RfUW3QIkPvXKlvWUpr0r-GawCLRM1HxAg5FRf6pJ69Hqmi3H8JdsTdI7FrMCtLpW7XGanuk9IVb9zeBEjgJjKEmD4rucgXSxm-zNcMjKjZyT_c9eHzzmEV7HuO2mJ4txe2_jjGKQWWleJXhtozzbw6oQpqpVqv8fWFkY7xKv_mITB5M3lbggGZfahjUmaB_okrNJH91nCH-xryh6vDtuhEbZgnch1vGSXPCpsg" localhost:9000

{"success":false,"message":"Invalid token"}

Logs

$ bun server.ts
[0.03ms] ".env"
23-09-22T04:27:52.781Z jwks Configured caching of signing keys. Max: 5 / Age: 600000
23-09-22T04:27:52.781Z jwks Configured caching of signing keys. Max: 5 / Age: 600000
⚡️[server]: Server is running at http:https://localhost:9000
23-09-22T04:28:00.899Z jwks Fetching signing key for 'd-1694753107764'
23-09-22T04:28:00.899Z jwks Fetching keys from 'https://api-dev.ploton.app/api/jwt/jwks.json'
localhost - - [22/Sep/2023:04:28:00 +0000] "POST / HTTP/1.1" - - "-" "curl/8.1.2"
23-09-22T04:28:01.347Z jwks Keys: [ { kty: 'RSA',
    kid: 'd-1694753107764',
    n: 'uLEf5SMBJkDFoRkUHM_uJbjNHe6fnSdf-43lmkOJo3XBcXOHSU-JHyX0vefEhYkdaZetDo6k6FC4LX-BJpIjkD6XerEJCbHymnMPaF-hGkbmAm2-J5vrXpNZjtWNNFI0UMgtIXFLatkqZVmBF0by6pHVqvjgwjaLdIZMen4v4CrSNrij2SxNyMoSNHrjXwDuV3n-Sp7XwrOydWUwBYpdUnd2Lf5_REq-O8gkopwgT2F4KWTWmbnG9CW4pogkNL4WumWMxv5ppIE6W0V4jCZ1_8Md3pvp2GPwKdaLpTeCwsO25pm_3i-sgpKX_jZ5BqirMJGAQ0um-H4h798riSUBhw',
    e: 'AQAB',
    alg: 'RS256',
    use: 'sig' },
  { kty: 'RSA',
    kid: 's-be9f15b0-8366-485b-b4c4-99badb008086',
    n: 'wAEyyNFUwMwmn1mkWKum4fN6-r66YQrZv91TfDX4JtFcyFWhrGXKFw53KE13cvN4Z5jTFtw8hh1lkNSvPHogj9pg6b3r69AnNkCRwcHgIeNNhs2jG9XW4WAuwaFnUiPVavnoDbLZDi8NUVqE1UxDztbiZhodfKdAkRNkU9gKNsSdnRnGGgWc_MBz1L3d3k4eexSwAQQNR4f3kK1wqArizyxkDNEV3cYpEfBVkHKwRxYpRHividATzeYxIAkBgJnvHZft8YXNKHwLPvPE9bRLx2Oz8l6bnD-P4AxjjR5KdXN3F-sTWUPwKxm1p_GFlvqTrERjbbrUul2_hDhz3-txuw',
    e: 'AQAB',
    alg: 'RS256',
    use: 'sig' } ]
{
  stack: "Error: \n    at <anonymous> (/Users/hitesh/dev/jwt_supertokens_hasura/node_modules/jsonwebtoken/lib/JsonWebTokenError.js:7:2)\n    at <anonymous> (/Users/hitesh/dev/jwt_supertokens_hasura/node_modules/jsonwebtoken/verify.js:105:10)\n    at <anonymous> (/Users/hitesh/dev/jwt_supertokens_hasura/verify_session.ts:12:5)\n    at processTicksAndRejections (native)",
  name: "JsonWebTokenError",
  message: "error in secret or public key callback: The JWKS endpoint did not contain any signing keys",
  toString: [Function: toString]
}

jwks-rsa version

^3.0.1

Node.js version

v20.7.0

@hiteshjoshi hiteshjoshi changed the title from "The JWKS endpoint did not contain any signing keys" to "error in secret or public key callback: The JWKS endpoint did not contain any signing keys" on Sep 22, 2023
@hiteshjoshi (author) commented

The keyObject here is coming empty.
https://github.com/auth0/node-jwks-rsa/blob/master/src/utils.js#L16

@hiteshjoshi (author) commented

It wasn't you! It was jose panva/jose#579

panva commented Sep 22, 2023

"It" is neither jose nor jwks-rsa, it is in fact the reality of using Bun with fingers crossed hoping its compatibility with node's APIs and module resolution is without flaws.

We can help resolve the issue in #374 but ultimately it's Bun's inability to have a CJS module's require() call resolve to the required module's require export. In addition, Bun doesn't even support the node APIs it would need if it did so, see https://bun.sh/docs/runtime/nodejs-apis#node-crypto (crypto.KeyObject and crypto.createPublicKey) all missing, meaning even if Bun used the node export of jose, it wouldn't work for you.

#374 actually utilizes the fact that jose is a universal library with a bun entrypoint pointed to a build which uses WebCryptoAPI. In essence what you objected to in panva/jose#579 is indeed what will actually allow you to use jwks-rsa when #374 is merged.
